User Profile
Sarahzin_Shane
MicrosoftJoined 5 years ago
User Widgets
Recent Discussions
Re: Allow Copy paste only within Office365 in Browser
Hi Hansm_NL, Gotcha. If I’m understanding correctly, you don’t want the info to go from browser to 365 thick client versions, right? If that is the case, yes. Copy/Paste would need to be blocked for for Office 365. We also have a non-MCAS capability in preview, endpoint DLP, which might be something that would also help. Please let me know!Re: Block file download in O365 for non intune compliant device
Alex_Tsang0107 Hi Alex, Unfortunately, session policies only work for Browser and in this case, the Android would not get this session policy. Are you saying that the Android is popping up as AAD joined instead of Intune compliant? Lastly, for the Browser, is that working? Thank you! SarahzinRe: Allow Copy paste only within Office365 in Browser
Hansm_NL Hi! When you say it isn't working, do you mean that MCAS is still blocking copy/paste for Office 365? Or, that MCAS is NOT blocking copy/paste for non Office 365 apps configured for conditional access app controls (CAAC)? Which other apps do you have configured for CAAC? In my test case, I was able to get MCAS to block copy/paste for GitHub and not block for Office 365 using the configuration below. Please let me know! Thank you! SarahzinRe: Conditional Access "Monitoring" only shows admins in Activity Log
Hi Paul_Brock! Do you mind providing a couple screenshots of your AAD CA Policy and MCAS CAAC Policy? This isn't typical behavior and should monitor all users for that application. Is your AAD CA policy scoped to a specific group of admins? Also, is your MCAS deployment scoped for Admins for that specific app under Settings -> Scoped Deployment? Lastly, do you have activity privacy implemented? Thank you!Re: Failed Logins with Cloud App Security - Locked account
In addition to Caroline’s response, wanted to confirm that when you’re using Active Directory, that’s showing the alerts coming through Azure ATP as Azure ATP alerts are filtered using the application filter to Active Directory. You’re trying to find Azure ATP detected logins? SergioT1228Re: How to position MCAS against the features of AIP, O365 ATP, Azure ATP & AD Premium P2
Hi supercrisz! For AIP, or Unified Labeling if you've migrated over, one of the biggest benefits is to be able to see all your sensitive files in the cloud in one single place. By doing so, you're able to apply labels and protect files in apps that are both under Microsoft (OneDrive for Business, SharePoint Online) as well as through the connected apps, such as Box; a single file policy can cover multiple apps. In addition, MCAS can apply these configurations on already existing files within these apps. Using AIP P2 definitely gives you the ability to automatically classify and protect within your environment but the functionality in MCAS builds upon existing labels and protections and applies it to additional apps, when configured correctly. For the Conditional Access App Control, it builds upon what is identified in AAD, mainly with session controls by adding granularity especially with the files. Benefits: Block download, cut, copy, and print of sensitive documents. Monitor risky session behavior. Require labeling of sensitive files. Say you have a user downloading a sensitive file from Box but they're using non-compliant device and therefore, has a risky session, you can use MCAS to protect that file when they download or, block downloading overall. Over all, with information protection, MCAS allows you to classify and protect outside of your current environment from one unified location. Some helpful documents on prerequisites: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NXYO https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-aad I hope this helps!Re: Saved a File to a local drive
Jeff Harlow In addition, my colleague Jacques van Zijl authored the the following query: Files saved to USB: DeviceFileEvents | where FolderPath !contains @"c:\" and FolderPath !contains @"\\" and FolderPath !contains "HarddiskVolume" and FolderPath !contains @"sms\pkg" and FolderPath !contains @"sms\bin" and FolderPath !contains @"SCCM_Deployments"and DeviceName !contains "arcade" and FileName !contains ".mui" | project Timestamp, InitiatingProcessAccountName, DeviceName, ActionType, FileName, FolderPath,InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by Timestamp descRe: Saved a File to a local drive
Jeff Harlow Do you currently have MDATP deployed? Using Advanced Hunting, you're able to do some investigations on if a file was downloaded to a USB. It may not be what you're looking to do but could be a good workaround or at least, provide more information than you originally had. https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152
